BadVPN – Blame information for rev 1
Author of rev 1: office

Fuzzing the lwIP stack (afl-fuzz requires linux/unix or similar)

This directory contains a small app that reads Ethernet frames from stdin and
processes them. It is used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool reads the known inputs and
mutates them to exercise as many code paths as possible, using compile-time
instrumentation to keep track of which code each input executes.

Just running make will produce the test program.

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU
frequency scaling governor; set AFL_SKIP_CPUFREQ=1 in the environment to
ignore that warning.
If it complains about an invalid "/proc/sys/kernel/core_pattern" setting (a
pattern starting with '|' pipes core dumps to an external program such as
apport, which delays the crash notification and can make afl misreport
crashes as hangs), try executing
"sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'".

The inputs are split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.
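
A launcher for the procedure above, added here as an example (it is not part
of lwIP or BadVPN): it performs the core_pattern check that afl-fuzz insists
on, then starts one afl-fuzz per input subdirectory in AFL's parallel -M/-S
mode, so the instances share the test cases they discover instead of running
in isolation. It assumes `make` left ./lwip_fuzz in the current directory and
that the sample inputs are under ./inputs/<name>/; the instance names lwip01,
lwip02, ... and the logs/ directory are choices made here, not anything the
project defines.

```shell
#!/bin/sh
# Added example, not part of lwIP or BadVPN: run one afl-fuzz instance per
# input subdirectory in AFL's parallel (-M/-S) mode so the instances share
# the test cases they discover, after checking the core_pattern setting that
# afl-fuzz refuses to start with. Assumes `make` produced ./lwip_fuzz in the
# current directory and the sample inputs live under ./inputs/<name>/.

# Return 0 if core_pattern leaves core dumps alone. afl-fuzz aborts when the
# pattern begins with '|': crashes would be piped to an external handler
# (apport on Ubuntu, for example), which delays the crash notification and
# can make afl report the crash as a hang. The file to read is a parameter
# so the check can be exercised on a copy.
core_pattern_ok() {
    pattern_file="${1:-/proc/sys/kernel/core_pattern}"
    [ -r "$pattern_file" ] || return 0   # no procfs: nothing to check
    case "$(cat "$pattern_file")" in
        "|"*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Arguments for the Nth instance (1-based): instance 1 is the master (-M),
# the others are secondaries (-S). Names must be unique per instance.
afl_instance_args() {
    n="$1"
    name="$(printf 'lwip%02d' "$n")"
    if [ "$n" -eq 1 ]; then
        mode="-M"
    else
        mode="-S"
    fi
    printf '%s %s\n' "$mode" "$name"
}

# Start up to one afl-fuzz per CPU, each on its own input subdirectory and
# all writing to the shared sync directory ./output. Logs go to ./logs/.
launch_all() {
    core_pattern_ok || {
        echo "core_pattern is piped to a program; fix it with:" >&2
        echo "  sudo bash -c 'echo core > /proc/sys/kernel/core_pattern'" >&2
        return 1
    }
    ncpu="$(nproc 2>/dev/null || echo 1)"
    mkdir -p logs
    n=0
    for dir in inputs/*/; do
        n=$((n + 1))
        [ "$n" -le "$ncpu" ] || break
        # shellcheck disable=SC2046  # the two words from afl_instance_args must split
        AFL_SKIP_CPUFREQ=1 afl-fuzz -i "$dir" -o output $(afl_instance_args "$n") \
            -- ./lwip_fuzz > "logs/$n.log" 2>&1 &
    done
    echo "started $n instance(s); stop them with: pkill afl-fuzz"
}

# Only launch when invoked as `./run_fuzz.sh run`, so the functions can be
# sourced without side effects.
if [ "${1:-}" = "run" ]; then
    launch_all
fi
```

Because all instances use the same -o directory, afl-whatsup output (or
simply ls output/) shows one subdirectory per instance, and each instance
periodically imports the others' queue entries.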

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory (under output/crashes and output/hangs). If you have the
hexdump and text2pcap tools installed, running output_to_pcap.sh <outputdir>
will create a pcap file for each such input to simplify viewing in wireshark.
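
An added alternative to output_to_pcap.sh (example code written here, not
the script shipped with lwIP): it uses od, whose `od -A x -t x1 -v` layout
text2pcap documents as accepted input, instead of hexdump, and it also picks
up the per-instance output/<fuzzer>/crashes layout that AFL's parallel mode
produces. It assumes the saved inputs are raw Ethernet frames, as the fuzz
target expects, and so sets the link type to 1 (Ethernet); the id_000000.pcap
naming is a choice made here.

```shell
#!/bin/sh
# Added example, not lwIP's own output_to_pcap.sh: turn every crash and hang
# input that afl-fuzz saved into a pcap file. Uses od instead of hexdump
# because text2pcap documents the `od -A x -t x1 -v` layout as input, and
# handles both the single-instance layout (output/crashes) and the parallel
# layout (output/<fuzzer>/crashes). Assumes the inputs are raw Ethernet
# frames, as the fuzz target expects, so the link type is set to 1.

# Hex dump in the form text2pcap accepts: hex offset, then one byte per column.
frame_to_hexdump() {
    od -A x -t x1 -v "$1"
}

# afl-fuzz names files like id:000003,sig:11,src:000001,op:flip1,pos:14.
# Keep only the id and replace ':' so the name is safe on every filesystem
# (naming convention chosen here, not by afl or lwIP).
pcap_name_for() {
    base="${1##*/}"
    id="${base%%,*}"
    printf '%s.pcap\n' "$(printf '%s' "$id" | tr ':' '_')"
}

# Convert one afl output file; the pcap lands next to it.
frame_to_pcap() {
    in="$1"
    out="$(dirname "$in")/$(pcap_name_for "$in")"
    frame_to_hexdump "$in" | text2pcap -q -l 1 - "$out"
}

# Walk an afl output directory (single or parallel layout) and convert
# every crash and hang input found.
outputs_to_pcap() {
    outdir="${1:?usage: outputs_to_pcap <afl output dir>}"
    command -v text2pcap > /dev/null || { echo "text2pcap not found" >&2; return 1; }
    n=0
    for f in "$outdir"/crashes/id:* "$outdir"/hangs/id:* \
             "$outdir"/*/crashes/id:* "$outdir"/*/hangs/id:*; do
        [ -f "$f" ] || continue     # an unmatched glob stays literal; skip it
        frame_to_pcap "$f" && n=$((n + 1))
    done
    echo "wrote $n pcap file(s)"
}

if [ -n "${1:-}" ]; then
    outputs_to_pcap "$1"
fi
```

The README file (a text file afl writes into crashes/) does not match the
id:* glob, so only real test cases are converted.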

The lwipopts.h file needs to have checksum checking off (the CHECKSUM_CHECK_*
options set to 0): afl mutates packet bytes without recomputing checksums, so
with checking on almost every packet would be discarded before it reaches the
code under test. The other options can be tuned to expose different parts of
the code.
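
A pre-flight check for the checksum requirement, added here as an example
(not part of lwIP or BadVPN): it reads a lwipopts.h and reports every
CHECKSUM_CHECK_* option that is still enabled, treating an option the file
does not define at all as enabled, which is lwIP's default. It assumes the
options are written as one-line `#define CHECKSUM_CHECK_xxx <value>` entries.

```shell
#!/bin/sh
# Added example, not lwIP's own: report which checksum-verification options
# a lwipopts.h leaves enabled. Mutated packets almost never carry a valid
# checksum, so any CHECKSUM_CHECK_* option still at 1 makes lwIP drop most
# of what afl-fuzz generates before the interesting code is reached.
# Assumption: options are written as `#define CHECKSUM_CHECK_xxx <value>` on
# one line; an option that is not defined at all takes lwIP's default of 1.

# Value of one `#define NAME value` in the file (last definition wins),
# or "unset" if the file does not define it.
define_value() {
    awk -v name="$2" '
        $1 == "#define" && $2 == name { value = $3; found = 1 }
        END { print (found ? value : "unset") }
    ' "$1"
}

# Return 0 only when every checksum check lwIP can perform on received
# packets is switched off; print each offending option otherwise.
checksum_checks_disabled() {
    opts="$1"
    rc=0
    for proto in IP UDP TCP ICMP ICMP6; do
        name="CHECKSUM_CHECK_$proto"
        value="$(define_value "$opts" "$name")"
        case "$value" in
            0|0U|"(0)") ;;
            unset) echo "$name: not defined, lwIP defaults it to 1 (verify on)"; rc=1 ;;
            *)     echo "$name: $value (verify on)"; rc=1 ;;
        esac
    done
    return "$rc"
}

if [ -n "${1:-}" ]; then
    checksum_checks_disabled "$1" && echo "all checksum checks are off"
fi
```

Run it as `./check_lwipopts.sh lwipopts.h` before starting afl-fuzz; a
non-zero exit means the fuzzer would spend most of its time on packets the
stack discards at the checksum step.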